Creating Kerberized Clusters With Cloudera Director
Using Cloudera Director 2.0 and higher with Cloudera Manager 5.5.0 and higher, you can create and configure Kerberized Cloudera Manager clusters. To launch a Kerberized cluster, edit the configuration file as described below and launch the cluster with the Cloudera Director client, using the bootstrap-remote command to send the configuration file to a running Cloudera Director server.
Creating a Kerberized Cluster with the Cloudera Director Configuration File
A sample configuration file for creating Kerberized Cloudera Manager clusters is available on the Cloudera GitHub site: director-scripts/kerberos/aws.kerberos.sample.conf.
The settings for enabling Kerberos are in the Cloudera Manager section of the configuration file. Provide values for the following configuration settings:
| Configuration setting | Description |
|---|---|
| krbAdminUsername | An administrative Kerberos account with permissions that allow the creation of principals on the KDC that Cloudera Manager will be using. This is typically in the format principal@your.KDC.realm |
| krbAdminPassword | The password for the administrative Kerberos account. |
| KDC_TYPE | The type of KDC Cloudera Manager will use. Valid values are "MIT KDC" and "Active Directory". |
| KDC_HOST | The hostname or IP address of the KDC. |
| SECURITY_REALM | The security realm that the KDC uses. |
| AD_KDC_DOMAIN | The Active Directory KDC domain in the format of an X.500 Directory Specification (DC=domain,DC=example,DC=com). This setting is for Active Directory KDCs only. |
| KRB_MANAGE_KRB5_CONF | Set this to true. This allows Cloudera Manager to deploy Kerberos configurations to cluster instances. The value false is not supported for this configuration setting. |
| KRB_ENC_TYPES | The encryption types your KDC supports. Some of the encryption types listed in the sample configuration file require the unlimited strength JCE policy files. |
Other Kerberos configuration options are available to Cloudera Manager. For more information, see Configuring Authentication in the Cloudera Security guide.
The following example shows the cloudera-manager section of a configuration file with MIT KDC Kerberos enabled:
```
cloudera-manager {
    instance: ${instances.cm-image} {
        tags {
            application: "Cloudera Manager 5"
        }
    }
    #
    # Automatically activate 60-Day Cloudera Enterprise Trial
    #
    enableEnterpriseTrial: true
    unlimitedJce: true
    # Kerberos principal and password for use by Cloudera Director
    krbAdminUsername: "principal@my.kdc.realm"
    krbAdminPassword: "password"
    # Cloudera Manager configuration values
    configs {
        CLOUDERA_MANAGER {
            KDC_TYPE: "MIT KDC"
            KDC_HOST: "KDC_host_ip_address"
            SECURITY_REALM: "my_security_realm"
            KRB_MANAGE_KRB5_CONF: true
            KRB_ENC_TYPES: "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc"
        }
    }
}
```
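The following Python lint is an added example, not part of Cloudera's documentation or sample file. It checks a cloudera-manager section against the constraints in the settings table before the file is sent with bootstrap-remote. The line-based parser, the function names, the deprecated-enctype list, and the pairing of aes256-cts with `unlimitedJce` are assumptions of this example.

```python
import re

REQUIRED = ["krbAdminUsername", "krbAdminPassword", "KDC_TYPE", "KDC_HOST",
            "SECURITY_REALM", "KRB_MANAGE_KRB5_CONF", "KRB_ENC_TYPES"]
VALID_KDC_TYPES = {"MIT KDC", "Active Directory"}
# Assumption (not from the page): DES, 3DES, RC4 are deprecated (RFC 6649, RFC 8429).
DEPRECATED_ENC = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1",
                  "des3-hmac-sha1", "arcfour-hmac"}

def parse_settings(conf_text):
    """Collect scalar `key: value` lines; comments and block openers do not match."""
    settings = {}
    for line in conf_text.splitlines():
        m = re.match(r'^(\w+)\s*[:=]\s*"?([^"{]*?)"?\s*$', line.strip())
        if m and m.group(2):
            settings[m.group(1)] = m.group(2)
    return settings

def validate(conf_text):
    """Return a list of problems with the Kerberos settings."""
    s = parse_settings(conf_text)
    issues = [f"missing {k}" for k in REQUIRED if k not in s]
    kdc_type = s.get("KDC_TYPE")
    if kdc_type and kdc_type not in VALID_KDC_TYPES:
        issues.append(f"invalid KDC_TYPE {kdc_type!r}")
    if kdc_type == "Active Directory" and "AD_KDC_DOMAIN" not in s:
        issues.append("missing AD_KDC_DOMAIN for Active Directory KDC")
    if s.get("KRB_MANAGE_KRB5_CONF", "true") != "true":
        issues.append("KRB_MANAGE_KRB5_CONF must be true")
    enc = s.get("KRB_ENC_TYPES", "").split()
    if "aes256-cts" in enc and s.get("unlimitedJce") != "true":
        issues.append("aes256-cts needs unlimitedJce: true")
    return issues + [f"deprecated enctype {e}" for e in enc if e in DEPRECATED_ENC]

# Constructed sample input with deliberate mistakes (not from the page).
SAMPLE = '''
krbAdminUsername: "principal@my.kdc.realm"
krbAdminPassword: "password"
configs {
  CLOUDERA_MANAGER {
    KDC_TYPE: "Active Directory"
    KDC_HOST: "KDC_host_ip_address"
    SECURITY_REALM: "my_security_realm"
    KRB_MANAGE_KRB5_CONF: false
    KRB_ENC_TYPES: "aes256-cts arcfour-hmac"
  }
}
'''
print("\n".join(validate(SAMPLE)))
```

Run against the MIT KDC example above, the same check would report five deprecated encryption types in KRB_ENC_TYPES and nothing else.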